
Javascript, AES, Sha1, Logging in, and Security of it all.


Zimmer


Ok, I have been doing some simple webpages and wanted to put some easter eggs in them. So one of them is a login page, but I didn't want people to be able to change the code allowing the password to be different. I don't have access to server-side scripting so I decided to try some stuff with JavaScript.

// SHA1() and AESDecryptCtr() are not defined here; they are assumed to come
// from separate SHA-1 and AES-CTR scripts loaded by the page.
function validate_login(AESText, SHA_RU, SHA_RP)
{
    // AESText - Encrypted URL
    // SHA_RU - Real Username SHA
    // SHA_RP - Real Password SHA
    // Confirm Login Secure I think, I hope, but I don't know
    // Username
    // 938di389e
    var password = document.getElementById('password').value; // Retrieves the user-entered password
    var username = document.getElementById('username').value; // Retrieves the user-entered username
    var SHA_Pass = SHA1(password); // Calculates SHA of the user-entered password
    var SHA_User = SHA1(username); // Calculates SHA of the user-entered username
    if (SHA_Pass == SHA_RP && SHA_User == SHA_RU) // Confirms both hashes match: SHA_RU = real user SHA, SHA_RP = real pass SHA
    {
        var pass = password + '3kx' + username; // Sets the pass used to decrypt AESText
        var text = AESDecryptCtr(AESText, pass, 256); // Tries to decrypt AESText
        // Not needed, since pass and user are correct so the decryption is correct --> if (sha_text == AES_R_SHA) // Compares the SHA of the attempted decryption and the real SHA hash of the decryption
        //alert(SHA1(text))
        //alert(sha_text)
        //alert(text)
        location.href = text; // Redirect
    }
    else
    {
        location.href = 'denied.html'; // If the username/password hashes do not match, redirect to denied.html
    }
}

With this code it takes the URL to redirect to, if the user and pass are correct, as an AES-encrypted string. It also takes the real password's and username's SHA1 hashes. Then I get the user's inputted pass and username. I create the SHA1s of those inputs and compare them. If they are correct, I then use the inputted pass and username to create a key to decrypt the AES text. I did have it compare the AES SHA1 hashes, but I figure if the pass and user SHA1 hashes are correct then so will be the AES key and then the text. It then redirects to the now-decrypted URL. If any of these checks fail, it redirects to denied.html.

I see several vulnerabilities.

1) Brute forcing all the urls on the server and finally finding the url, so I figure this is more obscurity.

2) Brute force the SHA1 hashes or AES key to decrypt the AES text.

3) A vulnerability I don't think would work is injecting the wrong SHA1 hashes because even if they worked the input password and username still would not produce the wrong AES Key.

Anyone else see any way to solve these problems or see any other possibilities?
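
A hardened variant of the scheme in the post, as an added example that is not the poster's code: instead of embedding SHA1(username) and SHA1(password) in the page, where anyone viewing the source gets fast hashes to guess against offline, the key is derived with salted PBKDF2 and the AES-GCM authentication tag is the only credential check. The function names, iteration count and blob layout are assumptions; it runs under Node.js, and browsers expose the same primitives through crypto.subtle.

```javascript
// Added example, not the poster's code. Node.js built-in crypto only.
const nodeCrypto = require('crypto');

// Assumed work factor (constructed value); raise it as far as users tolerate.
const ITERATIONS = 200000;

// Derive a 256-bit AES key from the credentials with a slow, salted KDF.
function deriveKey(username, password, salt) {
  // Length-prefix the username so ("ab","c") and ("a","bc") give different keys.
  const secret = `${username.length}:${username}:${password}`;
  return nodeCrypto.pbkdf2Sync(secret, salt, ITERATIONS, 32, 'sha256');
}

// Run once, offline: build the blob that is embedded in the page source.
// No hash of the username or password is stored anywhere.
function sealUrl(url, username, password) {
  const salt = nodeCrypto.randomBytes(16);
  const iv = nodeCrypto.randomBytes(12);
  const key = deriveKey(username, password, salt);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(url, 'utf8'), cipher.final()]);
  // Layout (assumed): salt(16) | iv(12) | tag(16) | ciphertext
  return Buffer.concat([salt, iv, cipher.getAuthTag(), ct]).toString('base64');
}

// Run in the page: returns the URL, or null when the credentials are wrong
// or the blob was modified. The GCM tag check replaces the SHA1 comparison.
function openUrl(blob, username, password) {
  const raw = Buffer.from(blob, 'base64');
  if (raw.length < 44) return null; // too short to hold salt + iv + tag
  const salt = raw.subarray(0, 16);
  const iv = raw.subarray(16, 28);
  const tag = raw.subarray(28, 44);
  const ct = raw.subarray(44);
  const key = deriveKey(username, password, salt);
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, iv);
  decipher.setAuthTag(tag);
  try {
    return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
  } catch (err) {
    return null; // authentication failed: redirect to denied.html here
  }
}
```

Each password guess now costs a full PBKDF2 run rather than one SHA1. This does nothing for point 1 in the post: the target page is still unprotected once its URL is known.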
